Omid's TechBlog!

PHP 5.4 Remote Exploit PoC in the wild

2012-05-19T22:22:00.001+04:30

ISC Diary:

There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the the ones that bind a shell to a port.

Since there is no patch available for this vulnerability yet, you might want to do the following:

Block any file upload function in your php applications to avoid risks of exploit code execution.
Use your IPS to filter known shellcodes like the ones included in metasploit.
Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336 registered at the beginning of the month.
Use your HIPS to block any possible buffer overflow in your system.

Source: http://isc.sans.edu

Call of Duty hacker jailed after meatspace burglary

2012-05-19T22:21:00.001+04:30

theregister.co.uk wrote:

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up gameCall of Duty has been jailed for 18 months.

Lewys Martin, 20, of Deal in Kent, used the malware to harvest bank login credentials, credit card details and internet passwords from the compromised Windows PCs of his victims. Martin then apparently laundered the credentials via underground cybercrime forums, earning $5 or less for every credential, directing proceeds of his criminal activity towards an offshore account in Costa Rica, funds which remain beyond the reach of UK police.

Martin's activities might have gone undiscovered if not for his arrest during what police described as a drunken attempt to break into a local college and steal computer equipment. Police who raided his home discovered printouts of stolen credit card numbers and papers relating to a fraudulent bank loan, obtained under a false name.

The student was convicted last November but sentence was deferred to allow him to complete a university computer course. However, bail was revoked after Martin was caught with several other individuals trying to break into Walmer Science College in Deal.

He caused hundreds of pounds of damages in criminal damages during the bungled burglary, according to local reports.

Martin was prosecuted and subsequently convicted for three burglary and fraud charges, leading up to a sentence hearing this week when he was jailed for 18 months.

A court clerk at Canterbury Crown Court confirmed the terms of the sentencing this week, which following earlier guilty pleas on the specimen charges. Further fraud charges were taken into consideration in sentencing Martin to a substantial spell behind bars.

Gamers are a popular target for malware distributors. Much of this malign activity is directed at gamers in the Far East but Western shoot-em-up and role-playing fans are also at risk and ought to be wary of malware posing as gaming cracks and other common tricks, as explained in a blog post by Sophos here.

The Pirate Bay hit by DDoS attack

2012-05-17T19:33:00.001+04:30

File-sharing website The Pirate Bay (TPB) has been hit by a Distributed Denial of Service (DDoS) attack.

The site has been largely inaccessible for the last 24 hours, and the service is intermittent in the UK.

The Pirate Bay has confirmed the attack on its Facebook page, saying that it did not know who was behind it, although it "had its suspicions".

A provider of DDoS defense systems said that it was unlikely that the attack came from hacking group Anonymous.

"There will be further attacks, but what's significant about this whole story is that people think that it is the Anonymous attacking a site which is typically a type of site that they defend," said Andre Stewart of Corero Network Security.

"It could be the record labels, or a government somewhere that has had enough of not being able to catch The Pirate Bay, it could be just one person who had rented some cloud power from Amazon and is sitting in a cafe, and is able to launch an attack."

Although some users may have attempted to access the site using proxies, TPB itself warned them against doing so.

Illegal file sharing

"Use proxies at own risk. Don't login unless you trust the proxy supplier. Don't freak out. You'll get your TPB fix tomorrow," said the site.

TPB allows users to illegally obtain copyrighted songs, films and other content for free.

However, others say that it is very difficult to assess the impact of downloading on sales.

"If they're losing money and seeing that the government is not being able to stop it, there's a real monetary value reason for them to try and bring it down," said Mr Stewart.

"And if they can do it in the name of Anonymous then it's great for them.

"Equally the governments that protect these industries are frustrated as well because they haven't been able to see it close down, unlike a number of other torrent sites."

Open and free

Virgin Media began preventing access to the file-sharing site following a High Court order last week.

Some time later the Virgin Media website suffered a hack attack that many thought was organized to protest against efforts to block access to TPB.

Twitter feeds associated with the Anonymous collective wrote: "Virgin Media - Tango Down #OpTPB".

But TPB criticized Anonymous for the attack, writing on its Facebook page that it did not "encourage these actions".

"We believe in the open and free internets, where anyone can express their views," wrote TPB.

"Even if we strongly disagree with them and even if they hate us. So don't fight them using their ugly methods. DDoS and blocks are both forms of censorship."

Source: BBC

Avira update fixes Service Pack bug

2012-05-17T19:24:00.001+04:30

The H-Online: Avira says that it has resolved the problems caused by a Service Pack that was released for its Windows products earlier this week. Users are advised to trigger a manual update to download the fix. Once installed, the update should prevent the program from blocking legitimate Windows applications on systems running Avira.

On Monday, Avira released "Service Pack 0" for all of its Windows products. Once the update was installed, the "ProActiv" behavioral monitoring component in Avira Antivirus Premium 2012 and Avira Internet Security 2012 blocked the execution of essential programs and trusted system processes. For example, ProActiv blocked the Windows registry editor (regedit.exe) and the task scheduler (taskeng.exe).

As the behavior recognition is only included in the company's commercial products for 32-bit versions of Windows, the problem does not affect Avira Free Antivirus or users who run a 64-bit version of Windows.

Those who are affected by the problem need to update Avira manually; once the update has been installed, the ProActiv module can be reactivated. For systems where Windows is having difficulty booting, users are advised to start their systems in safe mode and install the Avira update.

QuickTime for Windows update plugs security holes

2012-05-17T19:21:00.001+04:30

The H-Online: Version 7.7.2 of QuickTime for Windows has been released to address a total of 17 security vulnerabilities in the media player. According to Apple, these include integer, stack and buffer overflows, as well as memory corruption issues, all of which could be could exploited by an attacker to crash the application or execute arbitrary code on a victim's system. For an attack to be successful, a user must first open a malicious web site or a specially crafted file.

The company notes that, on Mac OS X, many of the holes have already been fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and Security Updates 2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard systems. A majority of these vulnerabilities were discovered by members of TippingPoint's Zero Day Initiative (ZDI).

Further information about the QuickTime update can be found in Apple's security advisory. QuickTime 7.7.2 for Windows is available for Windows 7, Vista and XP SP2 or later from Apple's Support Downloads site. Alternatively, those who have the Software Update for Windows tool installed can update by selecting "Apple Software Update" from the Start menu.

RealPlayer update fixes security vulnerabilities

2012-05-17T19:19:00.001+04:30

The H-Online: RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says that none of the, now fixed, holes are known to have been used to compromise systems.

The released update, version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser.

RealPlayer Versions 11.0 to 11.1 and 14.0.0 to 15.0.3.37, as well as RealPlayer SP 1.0 to 1.1.5 are affected; RealPlayer for Mac is not vulnerable. RealPlayer 15.0.4.53 – available for Windows 7, Vista SP1 and XP SP3 – corrects these problems. All users are advised to upgrade to the latest version. An alternative option is to simply uninstall RealPlayer as very few sites use it exclusively.

Chrome 19 released with tab syncing

2012-05-17T19:17:00.001+04:30

The H-Online: Google has announced that Chrome 19 is the new stable version of its open source based web browser. As usual, the browser sees a number of security fixes: this time there are seven high-severity fixes specifically for Chrome including various use-after-free and out-of-bounds errors. Two fixes with a wider impact than Chrome are also mentioned – a workaround for a Linux NVIDIA driver bug and an "off-by-one out-of-bounds" write in libxml. In all, $7500 was paid out in rewards to security researchers, and Google notes it has also paid out $9000 to researchers to stamp out bugs before they reached its stable channel.

There is only one major new feature in Chrome 19: support for synchronizing tabs between Chrome running on different systems signed in as the same Google user. To access the synchronized tabs, open a new tab and at the bottom of the new tab display is a menu item for "Other Devices" – selecting this displays the various devices and the tabs they have open. This tab synchronization also works with the current Chrome Android Beta, offering an alternative to the Chrome2Phone extension as a way to exchange URLs between desktop and mobile Chrome. Although the functionality for tab synchronization is already in the stable version, Google will only be gradually rolling out the supporting service over the next few weeks.

Google has also included an experimental version of Web Intents in the new stable version of Chrome. Web Intents are designed as a mechanism to allow web applications to work together without having explicit knowledge of the other web applications. Google has been working with Mozilla and at the W3C to develop a specification for the process. Services can register Intents to handle particular tasks. When a web application wishes to perform one of these tasks, with Web Intents it can query the browser to find an appropriate service and then call on that.

The announcement explains that "it's impossible to build a complex API – especially one that requires an ecosystem of apps – without feedback from web developers using it in the wild". The developers expect there will be significant, possibly backwards-incompatible, changes in the API as they get feedback. The API is currently prefixed to stop it being confused with whatever the final version of the API is, and intents must be registered at the Chrome App Store. Web application developers interested in Web Intents can consult "Web Intents in Chrome".

Chrome 19 can be downloaded from Google's page for stable Chrome. Existing users of the Chrome stable channel should be automatically updated to the new version. Chrome is based on Google's open source browser Chromium.

Google bringing new smarts to Search with Knowledge Graph

2012-05-16T23:15:00.001+04:30

Google's Knowledge Graph will display summaries of topics when your query is related to one of the 500 million items in Google's new database of things.

Google has long sought to index the world's information -- and it's now taking things a step farther with an effort to create "a database of everything in the world." And it's bringing this effort to your search results pages.

The new Knowledge Graph project, rolling out to English-language Google Search users over the next few days, provides more data snippets alongside its query results than the search engine currently provides. The results are based on Google's new database of 500 million people, places, and things, says Jack Manzel, Product Management Director of Search at Google. Manzel says there are 3.5 billion attributes and connections between these things in the database.

You'll be able to meander through lists of facts and connections when you are searching for items that are in the Knowledge Graph. As one Google example illustrates, if you search for Frank Lloyd Wright, you'll get a fact box with a summary about him (from Wikipedia), a small collection of biographical facts, and picture links to the buildings he designed. If you click on Fallingwater, you'll get another fact box about that house.

Google has both personnel and technology to curate what results appear in these fact boxes.

Continue Reading at Cnet: Google bringing new smarts to Search with Knowledge Graph

Avira AV update hangs systems

2012-05-15T18:46:00.001+04:30

H-Online Says:

A faulty update for Avira's paid-for anti-virus software blocks harmless processes and may in some cases stop computers from booting. The update results in the ProActiv behavioral monitoring component becoming oversensitive in its treatment of executable files.

According to user reports, ProActiv blocks trusted system processes such as cmd.exe, rundll32.exe, taskeng.exe, wuauclt.exe, dllhost.exe, iexplore.exe, notepad.exe and regedit.exe. In some cases this results in Windows failing to boot properly. It also appears to be blocking non-OS applications such as Microsoft Office, the Opera web browser and Google's Updater program.

All versions which include the ProActiv behavioral monitoring component are affected, including Avira Antivirus Premium 2012 and the enterprise version; only 32-bit systems are affected, as ProActiv doesn't currently support 64-bit operating systems. On the Avira forum, an employee of a company which runs Avira on one hundred computers complains that, "This update has been pretty catastrophic. The whole company ground to a standstill."

In view of the arbitrariness with which the behavioral monitoring component is blocking files, users who have installed the update are advised to disable ProActiv. To do so, access Avira's settings, activate the Expert mode using the switch on the left and uncheck 'Enable Avira ProActiv' under 'Realtime Protection', 'ProActiv'. According to user reports, if Windows is having difficulty booting, this can be fixed in some cases by starting in safe mode and then deactivating ProActiv.

In a statement to The H's associates at heise Security, Avira confirmed the problem and said that its developers are currently working on an automatic update to resolve the bug. The potential scale of the bug is huge – according to Avira, the faulty update has already been downloaded more than 70 million times; this figure includes those running the free version of Avira which is not affected. The company has now stopped distributing the update.

Source: Heise Security

Update: Avira update fixes service pack bug

Sniffer tool displays other people's WhatsApp messages

2012-05-14T02:06:00.001+04:30

The H-Online: WhatsApp Sniffer is an app able to display messages from other WhatsApp users connected to the same network as the app user. The tool diverts all data traffic on, for example, a Wi-Fi network through the user's smartphone and seeks out WhatsApp messages, which are transferred in plain text. All the user requires is a rooted Android smartphone.

The WhatsApp messaging service has established itself as an alternative to texting between smartphone users, because, unlike text messages, users only have to pay for data use. And if a user is in range of a free Wi-Fi point, then it is free to use.

But on public Wi-Fi networks, using WhatsApp turns out to be a very bad idea. Unlike, for example, iMessage, WhatsApp messages are transmitted in plain text, meaning that curious eavesdroppers, along with the intended recipient, can read them.

What previously would have required the use of a range of tools and some basic networking knowledge can now be performed at a stroke using WhatsApp Sniffer. The only way for users who have installed WhatsApp to avoid this is to refrain from using it on any Wi-Fi network that potentially untrusted users could be connected to.

The app uses ARP spoofing to divert all local network traffic through the smartphone. If it finds WhatsApp messages in this traffic, it displays them in a user-friendly conversation-style view. It displays both incoming and outgoing messages and can also display photos and video. A short test by The H's associates at heise Security found that the tool performed just as promised.

WhatsApp Sniffer was originally available to download from Google Play, but was removed a few days ago. This may slow down its dissemination, but it is not going to stop it altogether – a search on Google quickly unearths the APK installation file. The DroidSheep app, which allows users to intercept Facebook sessions and other web services, was also recently removed from Google Play, but is still proving popular.

Microsoft Patch Tuesday more extensive than anticipated

2012-05-10T13:43:00.001+04:30

The H-Online: As previously announced, Microsoft has released seven bulletins to close a total of 23 vulnerabilities on its May Patch Tuesday. The total number of bulletins belies the scope of the patches, however, as the combined update MS12-034 closes various holes in numerous products.

The reason for this is a critical hole in the code for processing TrueType fonts that was exploited by the Duqu spyware last year. The hole was closed in the Windows kernel on the December Patch Tuesday; however, Microsoft has since used a code scanner to track down the vulnerable code in numerous other components; among them is the gdiplus.dll library, which is used by various browsers to render web fonts.

Some of the vulnerable files contained further holes that Microsoft also patched within the same bulletin – meaning that this update fixes a number of other flaws in addition to the original vulnerability. It closes holes in all currently supported versions of Windows (from XP SP3 onwards, including Server), Office, the .NET framework and Silverlight. These "bonus" holes include three privilege escalation problems in the Windows kernel, including flaws in the code for processing keyboard layouts.

Bulletin MS12-029 closes a critical hole in the code for processing RTL documents. It affects Office 2003, 2007 as well as Office Compatibility Packs SP2 and 3. The vulnerability has also been closed in Office for Mac 2008 and 2011. Bulletin MS12-035 addresses two critical holes in the .NET framework.

The remaining four bulletins fix holes that have the second highest threat rating, being classified as "important" by Microsoft. These vulnerabilities affect Office, Visio Viewer 2010, the Windows partition manager and the Windows firewall and TCP stack.

Excuse me, Graham Cluley

2012-05-06T16:49:00.001+04:30

Hi,

You may have noticed that part of my blog posts are copied from other source as I name them (and link them) in beginning of my posts, for example “Naked Security” (SophosLabs).

Just today I noticed a message from “Graham Cluley”, one of the Authors in “Naked Security” blog which asked me to don’t re-post his articles.

In the past I had checked with many of my other sources and did always got me permission to share their articles as long as it comes with a link to the source too and I thought “Naked Security” blog follow same rule too, but seems they don’t.

Anyway I heard your message, Mr. Cluley and next time I will just link to your post directly, hope it will have some more good for you!

Best Regards
-Omid Farhang

PHP patch quick but inadequate

2012-05-05T23:25:00.001+04:30

The H-Online: The updates to PHP versions 5.3.12 and 5.4.2 released on Thursday do not fully resolve the vulnerability that was accidentally disclosed on Reddit, according to the discoverer of the flaw. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years.

The best protection at present is offered by setting up filter rules on the web server. However, the RewriteRule workaround described on PHP.net is also, according to security expert Christopher Kunz, inadequate. He suggests a slightly modified form of the rule as an alternative.

Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, be passed to PHP as command line arguments. Servers which run PHP in CGI mode are affected; FastCGI PHP installations are not. The PHP patch is supposed to ensure that parameter strings beginning with a minus sign and which do not contain an equals sign are ignored. According to the discoverer of the vulnerability, this can be bypassed easily. A new, slightly modified patch which uses query_string instead of decoded_query_string for one comparison has already been submitted to the bug tracking system.

Users can determine whether they are affected by the bug by appending the string ?-s to a URL. If the server returns PHP source code, rapid action is required. A Metasploit module which opens a remote shell for executing arbitrary code on vulnerable servers is already available.

Adobe Flash Player update closes critical object confusion hole

2012-05-05T23:23:00.001+04:30

The H-Online: Adobe has released a security advisory relating to an object confusion vulnerability which allows an attacker to crash the player or take control of an affected system. Adobe says that there are reports of this vulnerability being exploited in the wild as part of targeted email-based attacks which trick the user into clicking on a malicious file; this exploit only targets Flash Player on Internet Explorer on Windows, though the vulnerability exists on Windows, Mac OS X, Linux and Android versions of the player.

An update to Adobe Flash Player 11.2.202.235 on Windows, Mac OS X and Linux should be applied by anyone running version 11.2.202.233 or earlier. The version of Flash player being run can be verified by visiting the Flash Player About page and can be obtained from Adobe's Flash Player Download page. Windows users should be able to also activate the silent update recently introduced to Flash Player.

Google Chrome's Flash Player has already been updated automatically. Android users should, depending on their version of Android, update their players; Android 4.0 users running 11.1.115.7 and earlier should update to 11.1.115.8 and Android 3.0 users running 11.1.111.8 and earlier should update to 11.1.111.9. In either case, users should browse to Google Play and its Flash Player page for the update.

Fake Google Iranian domain defaced by Algerian Script Kiddies

2012-05-04T00:31:00.001+04:30

TheHackerNews: Google got Pwned ? NO Few Algerian Script Kiddies try to spread fake rumors that they Hack and Deface the Giant Search engine "Google Iranian" domain http://www.google.co.ir/ . As the screenshot shown a Algerian flag on it and Page Titles : "H4Ck3D By vaga-hacker dz and DR.KIM".

As mentioned by hacker, the team include hackers named : "V4Ga-Dz,Dz0ne,DR-KIM King-Dz,BroX0 aghilass elite jrojan password kha&mix wasim -dz" . It is not confirmed that, either these are member from some Anonymous Hackers but they try to use Anonymous Hackers Tag line : We Dont Forget , We Dont Forgive, Expect Us! to get some publicity.

According to further investigation by "The Hacker News" Technical Team, we found that "google.co.ir" possibly not belongs to GOOGLE because site rank is "3141379" , that means the site should have less than 100 Visitors/Day approx. Also we check WHO.IS records of this domain and found that Domain Holder is "Ganjineh ofogh omid gostar laleh eshragh" which is registered using a Google mail "sellinform110@gmail.com" and Phone No. is : 09377705008 .

May be some Readers are thinking that Hacking a Google domain is not possible, so here we have something for you from past, last year Google Bangladesh website (Google.com.bd) was also Hacked by TiGER-M@TE using DNS hijacking method.

Windows Live is dead, long live Windows Live

2012-05-04T00:17:00.001+04:30

Cross-posted from BetaNews: In a blog post on Wednesday, President of Microsoft's Windows division Steven Sinofsky announced the seven-year old Windows Live brand is being retired.

Do not be mistaken, there are more than 500 million users of the various Microsoft services that fall under the general classification of Windows Live. They are alive and well.

The brand and the concept of Windows Live as a whole, however, is antiquated in this mobile-driven era, and Microsoft is finally halting the differentiation.

"Windows Live services and apps were built on versions of Windows that were simply not designed to be connected to a cloud service for anything other than updates, and as a result, they felt 'bolted on' to the experience," Sinofsky said. "This created some amount of customer confusion, which is noted in several reviews and editorials. The names we used to describe our products added to that complexity: we used 'Windows Live' to refer to software for your PC (Windows Live Essentials), a suite of web-based services (Hotmail, SkyDrive, and Messenger), your account relationship with Microsoft (Windows Live ID), and a host of other offers."

The Windows Live brand has grown to encompass a user's Microsoft account that spans both Windows Live and Xbox Live services, Hotmail/Livemail, Messenger, SkyDrive, Calendar, Windows Contacts, the Live Essentials suite of desktop applications such as Windows Live Photo, Live Movie Maker, Live Writer, Live Mesh, and Live Mail.

Microsoft is retiring the idea of "connected services" versus completely insular ones, and is using the mobile world's most common dividing line: there are apps, and then there are Web apps. This is how services will be broken down and branded for Microsoft.

Firefox WebSocket bug compromises Tor anonymity

2012-05-03T18:27:00.001+04:30

The current versions of the Tor Browser Bundle (TBB) include a bug that makes it possible for information about visited web sites to leak out of the anonymising layer. On version 2.2.35-9 of TBB for Windows and version 2.2.35-10 for Mac OS X and Linux, the included version of Firefox does not send DNS requests over the Tor network if the browser is using the WebSocket protocol. This means that an attacker listening in on the connection will be able to identify the servers the user is visiting.

The only workaround for the problem currently is to completely disable the use of WebSocket in the browser. Users can do this by accessing Firefox's advanced configuration options by entering about:config in the address bar and changing the network.websocket.enabled option to "false".

The Tor developers are currently working on a fix for the security hole and will be releasing a new TBB version soon. More information on the issue can be found in the bug report on the Tor project's issue tracking system.

Iran makes its own anti-virus software - would you buy it?

2012-05-03T18:18:00.001+04:30

SophosLabs: According to reports, Iran has started making its own anti-virus software.

It is said that experts from Shiraz Computer Emergency Response Team of APA (Academic Protection and Awareness) of Iran have been working on the project to help better protect the country's digital defenses.

Of course, Iran is no stranger to malware. It found itself thrust into the spotlight in 2010 when the infamous Stuxnet worm was widely reported to have infected industrial plants (including nuclear plants) in the country with the seeming intention to target and sabotage SCADA systems.

This understandably led to some excitable - but not always accurate - headlines.

According to Mohammad Hossein Sheikhi, assistant professor of the Department of Electrical and Computer Engineering at the University of Shiraz, work on the anti-virus software began in 2010 after the Stuxnet crisis, and has since undergone testing.

According to reports, if the anti-virus software is confirmed to be a success it may be made commercially available at a later date.

It's unclear how Iran will determine if their home-grown anti-virus has been a true success or not.

Will they submit if for testing by independent tests by the likes of AV-Test.org? Will they send it to the folks at Virus Bulletin in the hope of winning a VB100 award for 100% detection of in-the-wild viruses with no false alarms? Will they test it on a wide variety of operating system versions and measure its impact on performance?

But the real question that springs to my mind is this - would you buy an anti-virus program officially written by your own country? How about a foreign country?

One thing's for sure - be careful if you are tempted to buy an anti-virus written by the Greek authorities. They do have a history of trojan horses after all..

If Iran *did* make its anti-virus software available, wouldn't other governments test it? After all, if you know that a country's infrastructure is partly reliant on a particular anti-virus product wouldn't any attacker automatically test if its malware and/or vulnerability exploit could bypass it?

OONI maps internet censorship on a global scale

2012-05-03T15:23:00.001+04:30

The H-Online: Tor developers Arturo Filasto and Jacob Appelbaum have been working on a new tool they call the OONI-probe. OONI stands for Open Observatory of Network Interference and is designed to help map internet censorship across the global network. The open source tool gives users the ability to check their internet connection for censorship, selective bandwidth throttling, surveillance and other interferences. This data can then be shared freely with other users, creating a global overview of the state of censorship of the network.

Filasto and Appelbaum said they were frustrated with the closed nature of either the code or the data collected by existing tools like Google's Transparency Report and that they wanted to correct this. The OONI project is in part funded with a grant from Radio Free Asia. The probe tool's source code has been released on GitHub under an unspecified open source license. According to Filastro, OONI's goal is "to build that open framework, so that researchers can independently prove that the methodology is valid and repeat the tests." The program has already been used by political activists and members of the press to confirm politically-motivated blocking of web sites at the ISP level.

The OONI-probe works by either checking a list of web sites (usually the top one million Alexa-ranked sites, which can take close to a week) or by setting up a network of machines in different locations and analyzing the data-flow between them. Anyone using the tool is volunteering to submit the collected information to the OONI web site which will eventually aggregate the results and make the data available to the public. This should then make it possible to see exactly what the internet looks like from any given country and what sites are blocked or have been altered.

OONI-probe is written in Python and further information on the program is available in its README file. The developers point out that while the tool works, it is still under heavy development and does not yet have a graphical user interface.

Phishers Offer Fake Storage Upgrades

2012-05-03T15:20:00.001+04:30

Symantec Connect: Customers of popular email service providers have been a common target for phishers for identity theft purposes. Phishers are constantly devising new phishing bait strategies in the hope of stealing user email addresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.

Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan will help customers prevent loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the plan will auto-renew each year and the customer can choose to cancel at any time by returning to the same page:

To avoid customer suspicion when the bogus offer doesn’t materialize, phishers used a time-buying strategy. They indicated that customers would be contacted 30 days prior to renewal and also that the upgrade process will take effect in a 24-hour time span. After user credentials are entered, the phishing page redirected to a page which confirmed the upgrade was initiated and complete. The phishing page then redirected back to the legitimate service website:

Similar phishing pages were observed spoofing other email services. The phishing site in this second example is titled “Obtain Free Additional Storage”. The same bait was used here as well:

To gain customer trust, the email address field was auto-populated on the fake page and is also concealed in the query string. Looking deep into these scams, it is evident these phishing scams are targeted attacks. By randomizing the email address in the query string of the phishing URL, the same phishing page can be used for targeting multiple users. Below is the URL format:

http://*****/?name=email_address@domain.com&cid=email_address@domain.com

Internet users are advised to follow best practices to avoid phishing attacks:

Do not click on suspicious links in email messages.
Avoid providing any personal information when answering an email.
Never enter personal information in a pop-up page or screen.
When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
Frequently update your security software which protects you from online phishing.

Privacy concerns over popular ShowIP Firefox add-on

2012-05-01T19:58:00.001+04:30

Cross-posted from SophosLabs: A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

According to the description on the Mozilla add-ons website, ShowIP is designed to "show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc. Additionally you can copy the IP address to the clipboard."

Currently over 170,000 people are said to be using ShowIP.

What the add-on's description doesn't say is that since version 1.3 (released on April 19th 2012) it has also sent - unencrypted - the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info.org.

The user never realises that the data has been shared with a third-party, unless they use special tools to monitor what data is being sent from their computer.

SophosLabs researcher Xiaochuan Zhang examined the add-on, and observed the potential privacy breach in action. In the following example, he used Wireshark to view the network packets being sent and observed his request to visit a non-existent website "www.thisisapparentlyafakeservice.me" being shared with ip2info.org.

The full URL of every webpage visited is sent to the Germany-based ip2info.org website, using unencrypted connections.

In addition, the add-on has no warning that sites you visit might be disclosed, no privacy policy small print explaining its behavior, and no apparent way to opt-out of the data-sharing.

Sanders told Naked Security that the issue was reported on the add-on's Google Code project page on 22nd April, but has received no response. Despite the alert, version 1.4 of the ShowIP add-on has since been released - and still exhibits the same behavior.

Sanders said that he hoped the apparent privacy lapse was the case of naivety rather than a developer with more malicious intentions:

"I suspect it's the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved on the Mozilla Addons site (not once, but twice) and how it's still there 12 days later."

The ip2info.org website itself appears to be very new, having only been registered a month ago.

And who appears to have registered the domain? A Berlin-based link marketing firm.

Hmm.

We have asked the developers of ShowIP to comment on the apparent privacy issue, and will update this article with any response we receive.

Chrome 18 update closes high-risk security holes

2012-05-01T19:49:00.001+04:30

The H-Online: Google has released a new update to the stable 18.x branch of its Chrome web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses a total of five vulnerabilities, three of which are rated as "high severity" by the company.

These include use-after-free problems in floating point handling and the XML parser; all of these bugs were detected using the AddressSanitizer. As part of its Chromium Security Vulnerability Rewards program, Google paid a security researcher by the name of "miaubiz", who is number three in the company's Security Hall of Fame, $1,000 for discovering and reporting one of the float handling problems. Two medium risk problems related to IPC validation and a race condition in sandbox IPC have also been corrected.

Further information about the update can be found in the announcement post on the Google Chrome Releases blog. Chrome 18.0.1025.168 is available to download for Windows, Mac OS X and Linux from google.com/chrome; existing users can upgrade using the built-in update function.

Skype divulges user IP addresses

2012-04-30T21:36:00.001+04:30

The H-Online: According to a blog post, a modified version of the Skype VoIP software can be used to easily find out the IP address of any valid Skype user. No contact has to be made with the user in order to get the information. This IP could then be used to find out other personal details about the user, such as their location or even their employer.

With a certain registry key, the manipulated version of Skype will create a log file with information including other users' external and internal IP addresses. These IPs can be retrieved simply by opening up a user's profile with the Skype client. In a test conducted by The H's associates at heise Security, the log file always showed the correct IPs – and when a user was logged in with multiple clients, the IP addresses for all the clients were visible.

Shortly after this was discovered, a hacker known as "Zhovner" put together the skype-ip-finder.tk web service. After a CAPTCHA has been submitted, the service can be used to find out IPs even without the special Skype client, and therefore without having to use a valid Skype account.

The service uses a modified version of Skype's SkypeKit SDK that is currently only available via BitTorrent, and Zhovner has put the necessary Python scripts on GitHub. In a post on Hacker News, Zhovner says that Skype has already banned his account, likely because of his experiments.

Mozilla to auto-upgrade Firefox 3.6 users to version 12

2012-04-30T21:32:00.001+04:30

H-Online: Soon, users running Firefox 3.6.x will start being automatically upgraded to the current version 12.0 release of the open source web browser. The plan to auto-update these users has been being discussed since the end of March, when Mozilla Release Manager Alex Keybl proposed the move on a Mozilla planning discussion thread.

According to Keybl, Firefox 3.6.x users with updates enabled should start being upgraded in early May – the specific date has yet to be confirmed. The 3.6.x branch of Firefox, the first release of which arrived in January 2010, reached its end of life last week on 24 April; the last update to the 3.6 series was version 3.6.28 from early March.

For users and organizations that don't want to upgrade to version 12 of Firefox because of the Rapid Release process – which sees a new browser update every six weeks – Mozilla has an Extended Support Release (ESR) of Firefox specifically aimed at enterprises and other large organizations. The current Firefox ESR release, version 10.0.4, is based on Firefox 10.

Those who don't want to upgrade can turn off updates in Firefox – on Windows, updates can be disabled via Tools –> Options –> Advanced –> uncheck "Firefox" under "Automatically check for updates". Mac users can access these settings from Preferences under the Firefox menu; however, some Mac OS X users will not be able to upgrade from 3.6.x as newer versions of Firefox no longer support PowerPC-based systems or version 10.4 of the operating system.

This isn't the first time that Mozilla has opted to auto-update users: a year ago the organization decided to aggressively ended Firefox 3.5's life by using auto-update.

Warning: Fake Biophilla app on Android is malware

2012-04-27T15:35:00.001+04:30

Corss-posted from ZDNet: Summary: Cyber criminals have created a fake Biophilla app for Android that is really just malware in disguise. Your first red flag should be that Biophilla is officially available on iOS, but not on Android.

During April alone, we’ve already seen malicious versions of Angry Birds Space and Instagram in the wild. Both are Android apps that are really just malware designed to generate money from unsuspecting users by sending expensive international text messages. Now the same is happening with the popular Biophilla app.

Here’s the official description of the app:

Biophilia is an extraordinary and innovative multimedia exploration of music, nature and technology by the musician Björk. Comprising a suite of original music and interactive, educational artworks and musical artifacts, Biophilia is released as ten in-app experiences that are accessed as you fly through a three-dimensional galaxy that accompanies the album’s theme song Cosmogony. All of the album’s songs are available inside Biophilia as interactive experiences: Crystalline, Virus, Moon, Thunderbolt, Sacrifice, Mutual Core, Hollow, Solstice, and Dark Matter.

Björk recently invited hackers and pirates to port her app from iOS to other platforms, but somehow I don’t think Android malware is what she had in mind. Symantec identified the social engineering scam on third-party Android app download sites and described the malware as follows:

The app itself comes in two parts: the front-end, which has the ability to stream songs, and a background service with the name ‘Market’. Upon examination of the background service (designed to activate every time the phone starts) it appears to belong to the Android.Golddream family of threats. The authors of this family of threats are known to target third-party apps with malicious versions of popular apps, drawing revenue from premium SMS scams.

To reiterate, Biophilia is not available for Android. Some may have managed to port it illegally, but please beware that they may have included malware inside. If you want to get the official iOS version, get it from the official Apple App store. Here is the direct link: itunes.apple.com/app/bjork-biophilia/id434122935.